VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 211 of 286
  • CVE-2020-2237MedAug 12, 2020
    risk 0.28cvss 4.3epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision.

  • CVE-2020-2215MedJul 2, 2020
    risk 0.28cvss 4.3epss 0.01

    A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password.

  • CVE-2020-15400MedJun 30, 2020
    risk 0.28cvss 4.3epss 0.00

    CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.

  • CVE-2019-16107MedMar 11, 2020
    risk 0.28cvss 4.3epss 0.00

    Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments.

  • CVE-2020-7210MedJan 23, 2020
    risk 0.28cvss 4.3epss 0.01

    Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.

  • CVE-2020-5397MedJan 17, 2020
    risk 0.28cvss 5.3epss 0.02

    Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight…

  • CVE-2020-5501MedJan 15, 2020
    risk 0.28cvss 4.3epss 0.00

    phpBB 3.2.8 allows a CSRF attack that can modify a group avatar.

  • CVE-2019-16569MedDec 17, 2019
    risk 0.28cvss 4.3epss 0.01

    A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.

  • CVE-2019-10456MedOct 16, 2019
    risk 0.28cvss 4.3epss 0.01

    A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10408MedSep 25, 2019
    risk 0.28cvss 4.3epss 0.01

    A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates.

  • CVE-2019-10388MedAug 7, 2019
    risk 0.28cvss 4.3epss 0.01

    A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.

  • CVE-2019-10331MedJun 11, 2019
    risk 0.28cvss 4.3epss 0.01

    A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10321MedMay 31, 2019
    risk 0.28cvss 4.3epss 0.01

    A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained…

  • CVE-2018-17081MedSep 26, 2018
    risk 0.28cvss 4.3epss 0.01

    e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page.

  • CVE-2018-15849MedAug 25, 2018
    risk 0.28cvss 4.3epss 0.00

    An issue was discovered in portfolioCMS 1.0.5. There is CSRF to update the website settings via admin/aboutus.php.

  • CVE-2018-1455MedAug 15, 2018
    risk 0.28cvss 4.3epss 0.01

    IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 11029.

  • CVE-2018-1000514MedJun 26, 2018
    risk 0.28cvss 4.3epss 0.00

    LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x.

  • CVE-2018-1514MedJun 7, 2018
    risk 0.28cvss 4.3epss 0.01

    IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 141622.

  • CVE-2017-2613MedMay 15, 2018
    risk 0.28cvss 5.4epss 0.02

    jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).

  • CVE-2018-1442MedMar 8, 2018
    risk 0.28cvss 4.3epss 0.01

    IBM Application Performance Management - Response Time Monitoring Agent (IBM Monitoring 8.1.4) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID:…